PT-2025-21347 · Vyper · Vyper

Th3Anatomist

·

Published

2025-05-15

·

Updated

2025-05-16

·

CVE-2025-47285

CVSS v4.0

6.3

Medium

Vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vyper versions up to and including 0.4.2rc1
Description: concat() may skip the evaluation of side effects when the length of an argument is zero. The cause is a fastpath in the implementation that skips evaluating argument expressions whose length is zero. Zero-length bytestrings are normally constructed with the empty literal b"", and it would be unusual for user code to build one from an expression with side effects. Such a side effect can nevertheless be introduced through the ternary operator, for example b"" if self.do_some_side_effect() else b"". Any state change or check performed inside that call is then silently never executed on affected compilers.
Recommendations: For versions up to and including 0.4.2rc1, as a temporary workaround, avoid side effects in expressions that construct zero-length bytestrings. Update to version 0.4.2 or later, which is expected to include the fix available in pull request 4644.
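The following Vyper contract is an added illustration of the pattern the description refers to; it is not code from the advisory or from the Vyper project, and the contract layout and the names counter, _bump, vulnerable and workaround are hypothetical. It shows a side effect hidden in a zero-length ternary argument, which affected compilers drop, next to the workaround the recommendation gives: perform the side effect in its own statement and pass a plain literal to concat().

```vyper
# pragma version ^0.4.0
# Added example (not from the advisory or the Vyper project) for
# CVE-2025-47285: a side effect inside a zero-length concat() argument
# and the recommended workaround. All names here are hypothetical.

counter: public(uint256)

@internal
def _bump() -> bool:
    # The side effect we care about. On compilers up to and including
    # 0.4.2rc1 the concat() fastpath for zero-length arguments drops the
    # whole argument expression, so this body never runs when it is
    # reached only through such an argument.
    self.counter += 1
    return True

@external
def vulnerable() -> Bytes[32]:
    # Both branches of the ternary are b"", so the argument has type
    # Bytes[0]. An affected compiler takes the zero-length fastpath and
    # never evaluates self._bump(); counter stays unchanged, silently.
    return concat(b"" if self._bump() else b"", b"payload")

@external
def workaround() -> Bytes[32]:
    # Workaround from the recommendation: keep side effects out of the
    # expression that builds the zero-length bytestring. The call runs
    # as its own statement, and concat() only ever sees the literal b"".
    ok: bool = self._bump()
    assert ok
    return concat(b"", b"payload")
```

Compiled with an affected compiler, a call to vulnerable() leaves counter at its previous value, while workaround() increments it; with the fix from pull request 4644 both increment. A regression check for a code base is to deploy the contract with the compiler in use, call each function once against a fresh deployment and compare counter afterwards.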

Related Identifiers

CVE-2025-47285
GHSA-QHR6-MGQR-MCHM

Affected Products

Vyper